CMMC Level 2 Requirements & Implementation

CMMC Certification


Level 2 requires organizations to document the processes that guide their efforts to achieve CMMC Level 2 maturity, in enough detail that users can repeat those processes. Organizations must then perform their processes as documented to achieve this maturity level.

Level 2 practices are classified as advanced cyber-hygiene practices (often referred to as intermediate cyber hygiene), a step between Level 1 and Level 3.

CMMC 2.0 Level 2 is equivalent to CMMC 1.02 Level 3 and is based on NIST SP 800-171. It includes all 14 domains and 110 security controls of CMMC 1.02 that come from NIST 800-171, but eliminates the 20 Level 3 practices and processes that were unique to CMMC 1.02.

Assessment requirements for Level 2 compliance differ based on whether the CUI data handled is critical or non-critical to national security. Organizations with prioritized acquisitions that handle data critical to national security must pass a higher-level third-party assessment, conducted by a CMMC Third-Party Assessment Organization (C3PAO), every 3 years, while organizations with non-prioritized acquisitions whose data is not critical to national security must conduct an annual self-assessment.

Who needs CMMC Level 2?

Contractors and subcontractors currently working with, or planning to work with, the Department of Defense must demonstrate compliance. If those businesses process, handle, or manage information critical to national security, they will need CMMC Level 2 compliance. In order to achieve CMMC Level 2 compliance, contractors will be required to undergo an extensive CMMC Level 2 third-party assessment.